Setting up Brocade Switches to do Tacacs+ authentication with Cisco ACS

This was a fun one. I had some issues getting my Brocade switches to continue doing RADIUS auth with my Cisco ACS, so I switched them to TACACS+. I had a few issues, but I was able to piece this configuration together and have it work correctly.

First, set up your servers on the Brocade side. I find it easiest to work on the command line and define everything that is needed.

aaaconfig --add (first ip) -conf tacacs+ -p 49 -s (secret) -t 5 -a pap
aaaconfig --add (second ip) -conf tacacs+ -p 49 -s (secret) -t 5 -a pap
aaaconfig --authspec tacacs+

The important thing to note here is to use PAP (-a pap) for authentication if you are doing this against Active Directory. CHAP, which is the default on the Brocade switches, requires the authenticating server to hold the cleartext password so it can recompute the challenge response; AD stores only one-way password hashes, so ACS cannot verify CHAP against it. With PAP the password is carried to ACS inside the TACACS+ packet body, which is obfuscated only with an MD5 keystream derived from the shared secret, so use a strong secret and keep the path between the switches and ACS on a protected management network.
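To make the PAP-versus-CHAP point concrete, here is an added Python example (not from the original post, nor Brocade or Cisco code) that models the server side of both methods against two constructed credential stores, and then applies the TACACS+ body obfuscation from RFC 8907 that is all that hides a PAP password between the switch and ACS. The store contents, salt, shared secret and session values are made up for the example, and the salted SHA-256 stands in for AD's one-way password hash.

```python
import hashlib
import hmac

# Constructed credential stores. Active Directory keeps only a one-way hash of
# each password (an NT hash; a salted SHA-256 stands in for it here), so it
# behaves like HASH_ONLY_STORE. CLEARTEXT_STORE stands for a server that can
# recover the password, which is what CHAP verification needs.
SALT = b"constructed-salt"


def _h(password: bytes) -> str:
    return hashlib.sha256(SALT + password).hexdigest()


HASH_ONLY_STORE = {"fabricadmin": {"hash": _h(b"Correct-Horse-42")}}
CLEARTEXT_STORE = {"fabricadmin": {"hash": _h(b"Correct-Horse-42"),
                                   "cleartext": b"Correct-Horse-42"}}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_pap(store, user: str, password: bytes) -> bool:
    """PAP hands the server the cleartext password, so a hash-only store suffices."""
    entry = store.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry["hash"], _h(password))


def verify_chap(store, user: str, ident: int, challenge: bytes, response: bytes):
    """CHAP requires recomputing MD5(id || password || challenge), which needs the
    cleartext password. Returns True/False when the store can decide and None
    when it cannot (the ACS -> AD case)."""
    entry = store.get(user)
    if entry is None:
        return False
    if "cleartext" not in entry:
        return None
    expected = chap_response(ident, entry["cleartext"], challenge)
    return hmac.compare_digest(response, expected)


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int, seq_no: int) -> bytes:
    """TACACS+ body obfuscation (RFC 8907 section 4.5): XOR with an MD5 keystream
    pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_(n-1)).
    Applying it twice with the same parameters restores the body; this is the
    only protection the PAP password has on the wire, and it rests entirely on
    the shared secret."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))
```

The hash-only store (the AD case) answers PAP but cannot answer CHAP at all, because checking a CHAP response means recomputing it from the cleartext password. The obfuscation round-trips only with the correct key, which is why the shared secret and the management path matter once PAP is in use.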

Once that is set up you have no access into your Brocade devices, because they are now doing TACACS+ authentication and you haven't defined them on the ACS server yet. Keep the session you ran these commands from open until the ACS side is finished, or first add local as a backup authentication method (the --backup option shown in the RADIUS section below works the same way for tacacs+), so that the switch falls back to its local accounts if the TACACS+ servers do not answer. Let's take care of the ACS part.

Log into ACS:

Navigate to Device Administration > Shell Profiles and create a new one; I called mine BROCADE-TAC. Once it is created, click “Custom Attributes” and enter the Brocade role attribute (the original post shows this as a screenshot of the shell profile). This ensures that when you log in, you log in as an admin on the switch.

Once this is done, go to Access Policies > Device Admin, or whatever you have named the policy that does your TACACS+ rule authentication. Create a new rule, choose your Active Directory login/groups as the condition (shown as a screenshot of the auth policy in the original post), and under Shell Profile choose the one you created above.

Depending on your environment you may also want to define a specific command set. In my case I am just using Permit All, but you can create different sets for different users depending on what you are trying to limit and who has access to the device: operators could be permitted only the show commands, or a junior admin a limited feature set. I only have a few people who log in and they all needed to be full admins, so this was the best choice for me. Mainly we wanted to make sure that auditing was turned on and that we would know when someone was logged in making changes to the devices.

Brocade Authorization against Cisco ACS 5.3

As I have continued my on-the-job training with Brocade, I came across the fact that we were just using a simple username/password for login. I decided to integrate it into our production Cisco ACS environment. Unfortunately there wasn't a document on doing this for version 5.3; I had to adapt the 4.x information from Brocade. I figured I would document it here for anyone else who is interested.

I am making the assumption that you are:

  1. comfortable with the CLI on Brocade
  2. able to add RADIUS VSA attributes to the ACS server

I used two documents from Brocade to set this up. The first was Chapter 5 of the FOS admin guide. This was useful for setting up the RADIUS server and the authentication order: RADIUS first, local second, with local used only if the RADIUS server is not reachable. Here are the important parts out of the FOS admin guide:

Adding a RADIUS or LDAP server to the switch configuration
1. Connect to the switch and log in using an account with admin permissions.

2. Enter the aaaConfig --add command.

Configuring local authentication as backup
It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of a power outage or network problems. For example, to enable local authentication as the backup for RADIUS, enter the following command:

switch:admin> aaaconfig --authspec "radius;local" --backup

The other document that I used was the ACS_FOS doc from Brocade. The important part of that was the FOS vendor-specific attribute definitions for RADIUS, given in the ACS 4.x user-defined-vendor format (vendor ID 1588 is Brocade's IANA enterprise number), so from this:

[User Defined Vendor]
Name=Brocade
IETF Code=1588

VSA 1=Brocade-Auth-Role
VSA 2=Brocade-AVPairs1
VSA 3=Brocade-AVPairs2
VSA 4=Brocade-AVPairs3
VSA 5=Brocade-AVPairs4
VSA 6=Brocade-Passwd-ExpiryDate
VSA 7=Brocade-Passwd-WarnPeriod

[Brocade-Auth-Role]
Type=STRING
Profile=OUT
[Brocade-AVPairs1]
Type=STRING
Profile=OUT
[Brocade-AVPairs2]
Type=STRING
Profile=OUT
[Brocade-AVPairs3]
Type=STRING
Profile=OUT
[Brocade-AVPairs4]
Type=STRING
Profile=OUT
[Brocade-Passwd-ExpiryDate]
Type=STRING
Profile=OUT
[Brocade-Passwd-WarnPeriod]
Type=INTEGER
Profile=OUT

I set up this in ACS 5.3 (shown as a screenshot in the original post):

The other part that was useful was the section on what to enter for an administrator:

Under “Brocade-Auth-Role” enter “admin” for administrator.

The value of Brocade-Auth-Role must be one of the pre-defined user roles in FOS. Examples are:

admin
basicswitchadmin
user
switchadmin
zoneadmin
operator
fabricadmin
securityadmin
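As an added example (not code from the post, Brocade or Cisco), the Python below encodes Brocade-Auth-Role as a RADIUS Vendor-Specific attribute using the vendor ID and VSA number from the dictionary above, wraps it in an Access-Accept with a correctly computed Response Authenticator, and then does what the switch side has to do: verify the authenticator against the shared secret before trusting any role the reply claims to grant, and accept only the FOS role names listed above. The request authenticator, packet identifier and shared secret are constructed test values.

```python
import hashlib
import hmac
import struct

# Values from the Brocade dictionary quoted above.
BROCADE_VENDOR_ID = 1588          # IETF Code=1588
BROCADE_AUTH_ROLE = 1             # VSA 1=Brocade-Auth-Role
VENDOR_SPECIFIC = 26              # RFC 2865 attribute type for Vendor-Specific
ACCESS_ACCEPT = 2

# The FOS role names listed above; anything else is rejected rather than mapped.
FOS_ROLES = frozenset({"admin", "basicswitchadmin", "user", "switchadmin",
                       "zoneadmin", "operator", "fabricadmin", "securityadmin"})


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26: Type=26 | Length | Vendor-Id(4) | Vendor-Type |
    Vendor-Length | value. Vendor-Length counts its own two header bytes."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def brocade_auth_role_attr(role: str) -> bytes:
    """The attribute ACS sends for Brocade-Auth-Role; refuses undefined role names."""
    if role not in FOS_ROLES:
        raise ValueError(f"not a FOS role: {role!r}")
    return encode_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, role.encode("ascii"))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: list) -> bytes:
    """Access-Accept whose Response Authenticator (RFC 2865 section 3) is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Switch-side check: a reply whose authenticator was not keyed with the
    shared secret is discarded, whatever role it claims to grant."""
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT:
        return False
    head, got, body = pkt[:4], pkt[4:20], pkt[20:]
    if struct.unpack("!H", head[2:4])[0] != len(pkt):
        return False
    want = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(got, want)


def iter_tlvs(blob: bytes):
    """Walk Type/Length/Value triples; a length under 2 or past the end is
    malformed, so parsing stops rather than looping."""
    i = 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            return
        yield t, blob[i + 2:i + length]
        i += length


def accepted_role(pkt: bytes, request_auth: bytes, secret: bytes):
    """Role the switch should apply, or None if the packet fails verification
    or carries no recognised Brocade-Auth-Role."""
    if not verify_access_accept(pkt, request_auth, secret):
        return None
    for attr_type, value in iter_tlvs(pkt[20:]):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != BROCADE_VENDOR_ID:
            continue
        for vtype, vvalue in iter_tlvs(value[4:]):
            if vtype == BROCADE_AUTH_ROLE:
                role = vvalue.decode("ascii", errors="replace")
                return role if role in FOS_ROLES else None
    return None
```

The authenticator check is the reason a RADIUS shared secret matters even though the role itself is not a secret: without it, anyone who can answer on the ACS address could hand the switch an Access-Accept carrying Brocade-Auth-Role=admin. Rejecting role strings outside the FOS list keeps a typo in the ACS attribute from silently turning into an unexpected privilege level.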

Which on ACS gave me this (shown as a screenshot in the original post):

Now, based on the user that logs in, I can control what access they have into our Brocade environment. This also has the added benefit of allowing us to audit the users that log into Brocade, so that I don't have to worry about changes being made by unauthorized/authorized people. I hope this helps someone else and saves them from having to hunt around to find the information.